BYOD: protect the information, not the device

According to a survey conducted by ZDNet and TechRepublic, up to 62 percent of organizations will have moved closer to implementing a “bring your own device” (BYOD) program by the end of 2013. Other sources peg the number of organizations with programs at 36 percent by 2016, and a Gartner survey says it will be 50 percent by 2017. Regardless of exactly where the number falls, one thing is for certain: the BYOD cat is out of the bag. An increasingly mobile workforce coupled with improved connectivity means that companies are turning to such options to make sure their workforce is connected at all times.

But while a BYOD program can offer some level of flexibility to the workforce, it is not without risks. The combination of fuzzy discovery rules and the possibility of leaving a phone filled to the brim with corporate secrets on a city bus could keep any sufficiently engaged GC up at night. For the risk-averse, the only concrete solution could be to purchase hardware for the team, or opt to keep work and personal lives totally separate (a dubious proposition in an always-on world).

For the larger portion of companies, BYOD is inevitable, so understanding the inherent challenges is essential. Even proponents of BYOD agree that there are situations where a company may need to stick with the corporately assigned BlackBerry, but the technology is getting better, and precedents set by others with successful platforms give new adopters something to shoot for.

“First and foremost, you want to involve your GC or your chief legal officer very early in the process when it comes to BYOD,” says Ryan Kalember, chief product officer and info security expert at WatchDox. Internal legal resources should not only be aware that a BYOD program will be implemented, but may also be able to ask tough questions during the design process, realistically gauging whether the risk is worth it. Plus, they’ll be able to ensure that the agreements employees adhere to protect the company should it opt for the mobile option.

Kalember also says that while device management is generally the fail-safe of a BYOD program, with an increasingly amorphous data ecosystem surrounding each worker, focus should be given to information access rather than to managing whichever device the data is transiently occupying. “I think device management practices are not necessarily less useful, but because most organizations with BYOD policies have employees that are not only bringing their own devices, they’re moving data between devices in a way the enterprise can’t be fully aware of, the only sensible way to look at regulated is to do so in a ‘data-centric’ way.”

The data-centric approach focuses more on the permissions governing who can access what, on any platform, than on what is stored on the device that the employee uses for both work and personal matters. “You want that data carrying its protection with it wherever it goes because it’s now possible for that data to proliferate across the world. People can duplicate it on USB sticks, or across their various mobile devices or sync it to Dropbox. If the information carries its protection with it, you’ll have a much easier time establishing an audit trail to know where and with who that data is.”

Tighter data protection means that regardless of the device, no one but the intended parties will be able to gain access to information, making BYOD easier to implement and maintain. Similarly, “containerization” software ensures that separate spaces are dedicated to work and personal information.

But regardless of how rock-solid the technology protecting the devices your employees use is, you can still run into issues with your employees’ mobile devices.

“Say you’re at a tech company and you’re at a tradeshow, and one of your sales engineers is there and he sees a competitor is using a newer version of their software that has yet to be released, and he decides to take a picture and gets caught. Your company is going to be sued based on what the employee did, and the discovery requests are going to require you to turn over what’s on that employee’s device. If there’s no BYOD policy anyways, can you even do it? That gets really murky really fast,” Kalember says.

The right choice for BYOD is not always the easy one, and in some cases the acquisition of phones specifically for your workforce may be the best bet. However, look at the root of what it is you’re trying to protect on a BYOD phone, and there may be other options, less expensive and more flexible, at your disposal.